--- begin forwarded text
Delivered-To: [EMAIL PROTECTED]
Date: Thu, 11 Aug 2005 15:10:52 -0400
To: Philodox Clips List <[EMAIL PROTECTED]>
From: "R.A. Hettinga" <[EMAIL PROTECTED]>
Subject: [Clips] The summer of PKI love
Reply-To: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
<http://www.infoworld.com/article/05/08/10/33OPstrategic_1.html>
InfoWorld
The summer of PKI love
Dartmouth College's PKI Deployment Summit showed public key infrastructure
moving forward
Strategic Developer, by Jon Udell
August 10, 2005
The annual PKI Deployment Summit at Dartmouth College is becoming a summer
tradition. Universities differ from other large enterprises in ways that
make them bellwethers for IT's future. University user populations are
transient, platform monocultures cannot be imposed, and collaboration
across institutional borders is mission-critical. These are excellent
circumstances in which to evolve methods of identity management that will
also meet the requirements of corporations as they increasingly outsource,
connect with customers through the Web, and engage with partners in
federations of Web services.
One reason for PKI's slow uptake has been the lack of two kinds of
portability. It hasn't been easy to move cryptographic keys from one
machine to another, or to use credentials issued by one institution at
another. But as we learned at the summit, there's been progress on both
fronts. Growing adoption of hardware tokens is making cryptographic
identities independent of machines. And emerging trust bridges are
enabling those identities to be federated among universities, the federal
government, and industry.
On the token front, we're still unfortunately waiting for the ideal key
storage device. USB tokens, smart cards, and cell phones are all
candidates, and the pros and cons of these options form a complex matrix.
Universities tend to prefer the USB approach because the tokens work with
PCs and Macs that can't easily be outfitted with card readers.
No matter what flavor of device, however, the deployment procedure is
critical. This year, several summit attendees talked about moving away
from a model in which the token caches keys that are also stored elsewhere,
to a model in which keys are generated directly on the token and are
stored only there. If you lose your token, you have to reregister for a new
one and get freshly minted keys. Work-arounds are painful experiences that
people won't lightly inflict on themselves a second time.
It sounds draconian, and indeed is, but the benefits are twofold. It
virtually eliminates password sharing, which, as I mentioned last year, is
otherwise rampant. And the required in-person registration is a ceremony
that helps users understand what the token means and how to use it.
On the trust front, a number of initiatives are under way. A handful of
universities and resource providers have been using the Internet2
consortium's Shibboleth to enable users at one institution to access
online resources at another. In March, that trust network was formalized as
the InCommon Federation.
Shibboleth isn't PKI-based, but it can be bridged to PKI systems, and trust
bridges were a hot topic this year. Dartmouth's Scott Rea gave a status
report on the Higher Education Bridge Certification Authority. Peter
Alterman, from the National Institutes of Health, described the Federal
Bridge Certification Authority. Cybertrust's Russ Weiser presented Secure
Access for Everyone, which focuses on the biopharmaceutical industry. And
Jim Jokl, from the University of Virginia, showed how to leverage grid
networks as a trust fabric by exploiting the Globus Toolkit's intrinsic
PKI.
Once these and other bridges can cross-certify, token-borne credentials
issued by one will be recognized -- subject to appropriate policy mapping
-- by the others. A year ago that seemed far-fetched, but the picture is
coming into focus.
Jon Udell is lead analyst and blogger in chief at the InfoWorld Test Center.
--
R. A. Hettinga
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
___
Clips mailing list
[EMAIL PROTECTED]
http://www.philodox.com/mailman/listinfo/clips
--- end forwarded text